Diffstat (limited to 'manifests')
-rw-r--r--manifests/haproxy.pp17
-rw-r--r--manifests/haproxy/endpoint.pp13
-rw-r--r--manifests/profile/base/database/redis.pp2
-rw-r--r--manifests/profile/base/gnocchi/api.pp24
-rw-r--r--manifests/profile/base/pacemaker.pp8
-rw-r--r--manifests/profile/base/pacemaker_remote.pp7
-rw-r--r--manifests/profile/pacemaker/ovn_northd.pp36
7 files changed, 41 insertions, 66 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 208f328..6b305cb 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -780,7 +780,7 @@ class tripleo::haproxy (
'cookie' => 'SERVERID insert indirect nocache',
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
- 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+ 'redirect' => 'scheme https code 301 if !{ ssl_fc }',
'option' => [ 'forwardfor', 'httpchk' ],
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
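Review bot: The `NOTE(jaosorior)` comment kept above the new `'redirect'` line no longer describes the rule. With the `hdr(host)` test removed, every request that did not arrive over TLS is redirected, not only those addressed to the public VIP. If this listener also has a plaintext internal bind (not visible in the hunk), internal clients will now get the 301 as well, so that should be confirmed as intended. I would reword the comment to `# NOTE: any request on this listener that did not arrive over TLS is redirected to https.` The options hash continues outside the hunk.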
@@ -902,17 +902,8 @@ class tripleo::haproxy (
}
if $keystone_public {
- if $service_certificate {
- $keystone_public_tls_listen_opts = {
- 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
- # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
- 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
- 'option' => 'forwardfor',
- }
- } else {
- $keystone_public_tls_listen_opts = {
- 'option' => [ 'httpchk GET /v3', ],
- }
+ $keystone_listen_opts = {
+ 'option' => [ 'httpchk GET /v3', ],
}
::tripleo::haproxy::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
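Review bot: Because `$keystone_listen_opts` always sets an `'option'` key, the TLS case appears to lose `forwardfor`. The endpoint.pp hunk of this commit builds `merge($tls_listen_options, $listen_options)`, and stdlib `merge` is shallow with the right-most hash winning, so the caller's `'option'` replaces the endpoint's `'option' => 'forwardfor'`. Before this change the TLS branch here set `'option' => 'forwardfor'` explicitly, so Keystone backends would now see only the proxy address, which matters for request logging and auditing. Either list it in the caller, `'option' => [ 'httpchk GET /v3', 'forwardfor' ],`, or have the endpoint concatenate the two option values instead of merging them. The resource declaration continues outside the hunk.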
@@ -921,7 +912,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts),
+ listen_options => merge($default_listen_options, $keystone_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
service_network => $keystone_public_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 16e0bd1..f1e80e8 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -108,9 +108,20 @@ define tripleo::haproxy::endpoint (
# service exposed to the public network
if $public_certificate {
+ if $mode == 'http' {
+ $tls_listen_options = {
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+ 'option' => 'forwardfor',
+ }
+ $listen_options_real = merge($tls_listen_options, $listen_options)
+ } else {
+ $listen_options_real = $listen_options
+ }
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"),
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
+ $listen_options_real = $listen_options
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
} else {
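Review bot: The `'redirect'` rule added to `$tls_listen_options` fires only when the Host header equals the interpolated `${public_virtual_ip}`, so it is a convenience redirect rather than enforcement of TLS. Host is client-supplied, and a request carrying a DNS name or any other Host value is not redirected by this rule. The bind line just below passes the same variable through `any2array()`, which suggests it may be a list; if so, the interpolation will not produce a single address and the ACL would never match. The haproxy.pp hunk in this commit dropped the Host test for one listener, so the two places now disagree. I would either use the same `scheme https code 301 if !{ ssl_fc }` form here or add a comment such as `# NOTE: redirect applies only when Host equals the public VIP literal; other Host values are not redirected.` The final `else` branch is outside the hunk.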
@@ -138,7 +149,7 @@ define tripleo::haproxy::endpoint (
bind => $bind_opts,
collect_exported => false,
mode => $mode,
- options => $listen_options,
+ options => $listen_options_real,
}
haproxy::balancermember { "${name}":
listening_service => $name,
diff --git a/manifests/profile/base/database/redis.pp b/manifests/profile/base/database/redis.pp
index 830ffc6..e357359 100644
--- a/manifests/profile/base/database/redis.pp
+++ b/manifests/profile/base/database/redis.pp
@@ -37,7 +37,7 @@ class tripleo::profile::base::database::redis (
$step = Integer(hiera('step')),
) {
if $step >= 2 {
- if $bootstrap_nodeid == $::hostname {
+ if downcase($bootstrap_nodeid) == $::hostname {
$slaveof = undef
} else {
$slaveof = "${bootstrap_nodeid} 6379"
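Review bot: Only the left-hand side of the comparison is normalised, and the `else` branch still writes the original-case `$bootstrap_nodeid` into `$slaveof`. If the intent is to treat node names case-insensitively, normalise once and reuse it, e.g. `$bootstrap_nodeid_real = downcase($bootstrap_nodeid)`, then compare against `downcase($::hostname)` and build `$slaveof` from the same variable. A mismatch here decides whether a node configures itself as the Redis master or as a replica, so a short comment stating why the downcase is needed would help the next reader. The class body continues outside the hunk.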
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index 4572397..3953f04 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -89,12 +89,11 @@ class tripleo::profile::base::gnocchi::api (
$tls_keyfile = undef
}
- if $step >= 3 and $sync_db {
+ if $step >= 4 and $sync_db {
include ::gnocchi::db::sync
}
- if $step >= 3 {
- include ::gnocchi::api
+ if $step >= 4 or ($step >= 3 and $sync_db) {
include ::apache::mod::ssl
class { '::gnocchi::wsgi::apache':
ssl_cert => $tls_certfile,
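Review bot: The two step conditions no longer line up. `include ::gnocchi::db::sync` now needs `$step >= 4`, but this block is entered at step 3 when `$sync_db` is true. The swift branch in the next hunk then declares a relationship on `Class['Gnocchi::db::sync']` under `if $sync_db`. Unless the class is pulled in elsewhere (for example by `::gnocchi::api`, which is not visible here), that reference has no target at step 3 and catalog compilation would be expected to fail. Guarding the relationship with `if $sync_db and $step >= 4 {` would keep it consistent with the include above.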
@@ -107,19 +106,20 @@ class tripleo::profile::base::gnocchi::api (
coordination_url => join(['redis://:', $gnocchi_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']),
}
case $gnocchi_backend {
- 'swift': { include ::gnocchi::storage::swift }
+ 'swift': {
+ include ::gnocchi::storage::swift
+ if $sync_db {
+ include ::swift::deps
+ # Ensure we have swift proxy available before running gnocchi-upgrade
+ # as storage is initialized at this point.
+ Anchor<| title == 'swift::service::end' |> ~> Class['Gnocchi::db::sync']
+ }
+ }
'file': { include ::gnocchi::storage::file }
'rbd': { include ::gnocchi::storage::ceph }
default: { fail('Unrecognized gnocchi_backend parameter.') }
}
+ include ::gnocchi::api
}
- # Re-run gnochci upgrade with storage as swift/ceph should be up at this
- # stage.
- if $step >= 5 and $sync_db {
- exec {'run gnocchi upgrade with storage':
- command => 'gnocchi-upgrade --config-file=/etc/gnocchi/gnocchi.conf',
- path => ['/usr/bin', '/usr/sbin'],
- }
- }
}
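Review bot: The new comment in the swift branch promises more than the collector can deliver. `Anchor<| title == 'swift::service::end' |>` only matches an anchor in this node's own catalog, so when the swift proxy runs on a different node the collector matches nothing and the ordering is silently a no-op. The step-5 `gnocchi-upgrade` exec that used to cover that case is removed in the same hunk. I would reword the comment to `# Orders gnocchi-upgrade after swift services managed in this node's catalog; a proxy on another node is not waited for.` It is also worth confirming that deployments with a remote proxy still initialise storage.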
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index 264723b..bc15e62 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -111,9 +111,11 @@ class tripleo::profile::base::pacemaker (
cluster_setup_extras => $cluster_setup_extras,
remote_authkey => $remote_authkey,
}
- class { '::pacemaker::stonith':
- disable => !$enable_fencing,
- tries => $pcs_tries,
+ if $pacemaker_master {
+ class { '::pacemaker::stonith':
+ disable => !$enable_fencing,
+ tries => $pcs_tries,
+ }
}
if $enable_fencing {
include ::tripleo::fencing
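Review bot: `::pacemaker::stonith` is now declared only when `$pacemaker_master` is true, while the `if $enable_fencing` block that follows is not gated the same way. The pacemaker_remote.pp hunk of this commit removes an ordering `Class['tripleo::fencing'] -> Class['pacemaker::stonith']`. If this file has a similar relationship further down (outside the hunk), it would reference a class that is absent from the catalog on non-master nodes. Please check that any such ordering is moved under the same `$pacemaker_master` guard. A short comment would also record why the change is safe, e.g. `# stonith-enabled is a cluster-wide property, so only the bootstrap node sets it.`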
diff --git a/manifests/profile/base/pacemaker_remote.pp b/manifests/profile/base/pacemaker_remote.pp
index 6b96713..f4265ff 100644
--- a/manifests/profile/base/pacemaker_remote.pp
+++ b/manifests/profile/base/pacemaker_remote.pp
@@ -46,11 +46,6 @@ class tripleo::profile::base::pacemaker_remote (
}
$enable_fencing_real = str2bool($enable_fencing) and $step >= 5
- class { '::pacemaker::stonith':
- disable => !$enable_fencing_real,
- tries => $pcs_tries,
- }
-
if $enable_fencing_real {
include ::tripleo::fencing
@@ -58,7 +53,5 @@ class tripleo::profile::base::pacemaker_remote (
Pcmk_resource<||> -> Class['tripleo::fencing']
Pcmk_constraint<||> -> Class['tripleo::fencing']
Exec <| tag == 'pacemaker_constraint' |> -> Class['tripleo::fencing']
- # enable stonith after all fencing devices have been created
- Class['tripleo::fencing'] -> Class['pacemaker::stonith']
}
}
diff --git a/manifests/profile/pacemaker/ovn_northd.pp b/manifests/profile/pacemaker/ovn_northd.pp
index fcf14ff..212c345 100644
--- a/manifests/profile/pacemaker/ovn_northd.pp
+++ b/manifests/profile/pacemaker/ovn_northd.pp
@@ -32,7 +32,8 @@
# Defaults to hiera('pcs_tries', 20)
#
# [*ovn_dbs_vip*]
-# (Optional) The OVN database virtual IP to be managed by the pacemaker.
+# (Optional) The vip to be used for OVN DB servers. It is expected that
+# the vip resource to be created before calling this class.
# Defaults to hiera('ovn_dbs_vip')
#
# [*nb_db_port*]
@@ -67,21 +68,9 @@ class tripleo::profile::pacemaker::ovn_northd (
$ovndb_servers_ocf_name = 'ovn:ovndb-servers'
$ovndb_vip_resource_name = "ip-${ovn_dbs_vip}"
- if is_ipv6_address($ovn_dbs_vip) {
- $netmask = '128'
- $nic = interface_for_ip($ovn_dbs_vip)
- } else {
- $netmask = '32'
- $nic = ''
- }
-
- pacemaker::resource::ip { "${ovndb_vip_resource_name}":
- ip_address => $ovn_dbs_vip,
- cidr_netmask => $netmask,
- nic => $nic,
- tries => $pcs_tries,
- }
-
+ # By step 3, all the VIPs would have been created.
+ # After creating ovn ocf resource, colocate it with the
+ # VIP - ip-${ovn_dbs_vip}.
pacemaker::resource::ocf { "${ovndb_servers_resource_name}":
ocf_agent_name => "${ovndb_servers_ocf_name}",
master_params => '',
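Review bot: Nothing visible in this manifest enforces the assumption the new comment states. The class no longer creates `ip-${ovn_dbs_vip}`, and the final hunk shortens the ordering chain to `Ocf -> Colocation`. The colocation constraint therefore names a VIP resource that this catalog neither declares nor orders against. If the VIP is missing or named differently, the constraint can only fail or retry until `$pcs_tries` is exhausted, leaving the OVN DB master unbound to its address. I would state the contract precisely in the comment, e.g. `# Requires the VIP resource ip-${ovn_dbs_vip} to already exist in the cluster; this class only colocates with it.` The removed start-order constraint also means nothing orders VIP start before promotion, which is worth confirming as intended.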
@@ -96,15 +85,6 @@ class tripleo::profile::pacemaker::ovn_northd (
meta_params => 'notify=true'
}
- pacemaker::constraint::order { "${ovndb_vip_resource_name}-then-${ovndb_servers_resource_name}":
- first_resource => "${ovndb_vip_resource_name}",
- second_resource => "${ovndb_servers_resource_name}-master",
- first_action => 'start',
- second_action => 'start',
- constraint_params => 'kind=Mandatory',
- tries => $pcs_tries,
- }
-
pacemaker::constraint::colocation { "${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}":
source => "${ovndb_vip_resource_name}",
target => "${ovndb_servers_resource_name}-master",
@@ -113,9 +93,7 @@ class tripleo::profile::pacemaker::ovn_northd (
tries => $pcs_tries,
}
- Pacemaker::Resource::Ip["${ovndb_vip_resource_name}"] ->
- Pacemaker::Resource::Ocf["${ovndb_servers_resource_name}"] ->
- Pacemaker::Constraint::Order["${ovndb_vip_resource_name}-then-${ovndb_servers_resource_name}"] ->
- Pacemaker::Constraint::Colocation["${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}"]
+ Pacemaker::Resource::Ocf["${ovndb_servers_resource_name}"] ->
+ Pacemaker::Constraint::Colocation["${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}"]
}
}